Leak Testing ESS

Discussion in 'ESET Smart Security v3 Beta Forum' started by MasterTB, Oct 6, 2007.

Thread Status:
Not open for further replies.
  1. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    In the past several days I've been testing ESS against leak tests.
    We all know where Eset stands on this, we know that they are using heuristics to stop leaktests and programs that use leak techniques from even being downloaded to the PC by the antivirus, so, in theory you are protected right?? because those programs cannot enter your PC, right?? ......... WRONG...!!!!
    This is so terribly wrong that I don't even think Eset believes it. There are a lot of legitimate programs that use leak techniques to connect to the web that Eset is not doing anything about, and it worries me big time!! ESS is not able to stop a single one of them. I use a program that came with my keyboard and that hooks into the system and monitors keystrokes and controls all sorts of multimedia and configurable keys, and Eset does not even recognize it; still, Security Task Manager gives it a rating of 100!! on the scale of dangerous programs... what does Eset do about it? NOTHING.
    Eset does not detect OLE automation processes, like the one used in PCflank; if you exclude the leaktest from the scans of the antivirus (remember that almost all Microsoft applications use this technique to communicate among themselves) the program can easily run an instance of IE and connect to the web... this is a false protection from Eset and I believe we are being cheated.
    Thunderbird can launch an instance of any web browser (or any other program required to run any kind of attachment) you use to connect to the web and Eset does not warn you about it... and so on and so forth...
    There is a known program to spoof porn pages called Supermegaspoof that connects to the internet and then spoofs a web page on IE to make it believe you are a paying registered customer to give you full access; well, ESS does not recognize the program as malicious and LETS IT RUN AND DO ITS BUSINESS COMPLETELY FREE!!
    What are they doing about this?? Nothing so far. The firewall does not alert you of a program launching another, injecting DLLs, modifying another process in memory and many other dangerous techniques; it does not prevent privilege escalations, etc.
    I believe this needs to be addressed if Eset really wants to position its suite against all the good firewalls out there.
     
  2. ASpace

    ASpace Guest

    What you are describing is not a firewall's job.

    You describe some things which should be detected not by a firewall but by behaviour analysis software instead.

    A firewall's main function is to monitor incoming/outgoing traffic and protect you from hackers. Does it protect against hackers - YES, it does. Does it detect - NO, because it is not a firewall's job.

    You can submit (the files or urls) of the files (keylogger program and the Supermegaspoof) to samples[at]eset.com so that ESET adds them in case it is necessary :thumb: :thumb: :thumb:
     
  3. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    It is a firewall's job if a program is using another to connect to the internet without your consent and the firewall has no way to alert you about that. From what I understand about "Outbound Filtering" (and I can be wrong because I'm no expert) a Firewall must be aware of any attempts to connect to the net from the machine it is protecting and alert the user of any connection being made without the user's consent.
    What we can discuss is how to achieve that control, which is a whole other problem.
     
  4. MidiVeil

    MidiVeil Registered Member

    Joined:
    Oct 6, 2007
    Posts:
    1
    I know that Kaspersky Internet Security v7 has this proactive defense, you can monitor registry stuff, process injection and so on...
    I used it in the past, but then I discovered how fast my old machine is without Kaspersky, I did test beta versions, and used the forum to ask how to optimize it to run it with better performance. But even with lowest settings it still stole too much performance.
    If you want to control your pc more, try KIS, but I'll stick with NOD32 v3 RC1, it protects me, and I can use my pc without lags.
    Or you could try the Comodo Firewall, it's free, and you could stick with NOD32 and use Comodo to monitor this proactive stuff.
     
  5. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina

    Thank you, but as you say I'll stick with NOD32 too. I'm just saying that some of the techniques that are used for leaking can be controlled by the firewall.
    I used Kerio for a long time and I still think it's one of the best out there, even when it fails a lot of leak tests; I don't use it anymore because the proxy on NOD32 interferes with the web filtering abilities of Kerio. I tried Comodo as well but I think the 3rd version -which is currently in Beta- has too much noise in its HIPS that is far from being usable by the common user.
    I'm trying ESS RC1 at the moment and I love the way the firewall behaves, the ability to create rules on the fly (the way that until now only Kerio offered). I'm just concerned that if somehow malware could pass through the antivirus I could lose the battle because of that breach in the firewall, and that maybe something could be done to prevent it.
     
  6. ASpace

    ASpace Guest

    ESET's (NOD32) antivirus is one of the best. Have a look at the comparatives to see that it is among those that catch a lot of real threats.

    Should the AV miss something important, you still can control most of it using the firewall. E.g. if something is injected in explorer.exe and you receive a pop-up for explorer wanting an outside connection, one should be smart enough to reject that "wish" because explorer.exe has no business to do outside (just an e.g.)

    We also haven't seen the Application Modification prevention function in the firewall in action. Hope ESET can make a presentation of it similar to this one (it's good for the users to better understand this function)
     
  7. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    That is only true if you don't have a rule created for IE to use HTTP ports, because if you do, and some malware hijacks it, then NO ALERT will be displayed since IE already has a go on the firewall, and that's the problem I'm talking about here.
    Download PCFlank and you'll see for yourself. By the way, PCFlank, which is a leak test -and one of the hardest to control- is not recognized by ESS as malware!!!!!!! How does that make you feel o_O?
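The problem MasterTB describes here, a per-application allow rule that says nothing about who launched the browser or what is running inside it, is easy to show with a toy outbound-filter policy. The following is an added example for this thread, not ESS code or anything posted by the participants: all paths, hashes and process records are constructed, and the "expected parents" and "trusted module directories" lists are assumptions standing in for whatever a real firewall would learn. The path-only rule lets every launch of the browser binary out; the hardened rule adds the application-modification check, a parent-process check and a loaded-module check, and falls back to asking the user whenever one of them fails.

```python
"""Toy outbound-filter policy: path+port rule vs. the same rule with
application-modification, parent-process and foreign-module checks.
Added example with constructed data; not any real firewall's logic."""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Assumed policy inputs (a real product would learn these at rule creation).
IE_PATH = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
IE_GOOD_HASH = sha256(b"constructed-iexplore-bytes")  # stands in for the on-disk binary
ALLOW_RULES = {IE_PATH: {"ports": {80, 443}, "hash": IE_GOOD_HASH}}
EXPECTED_PARENTS = {"C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\userinit.exe"}
TRUSTED_MODULE_DIRS = ("C:\\Windows\\System32\\", "C:\\Program Files\\Internet Explorer\\")


@dataclass(frozen=True)
class Process:
    image: str          # full path of the executable
    parent_image: str   # full path of the process that launched it
    image_hash: str     # hash of the executable as it was started
    modules: tuple      # paths of loaded DLLs


@dataclass(frozen=True)
class Connect:
    proc: Process
    dst_port: int


def path_only_decision(ev: Connect) -> str:
    """What a plain per-application rule does: image path + port, nothing else."""
    rule = ALLOW_RULES.get(ev.proc.image)
    return "allow" if rule and ev.dst_port in rule["ports"] else "ask"


def hardened_decision(ev: Connect) -> tuple:
    """Same rule, plus the checks the thread says are missing."""
    rule = ALLOW_RULES.get(ev.proc.image)
    if not rule or ev.dst_port not in rule["ports"]:
        return ("ask", "no matching rule")
    p = ev.proc
    if p.image_hash != rule["hash"]:
        return ("ask", "application modified since the rule was created")
    if p.parent_image not in EXPECTED_PARENTS:
        return ("ask", f"launched by unexpected parent {p.parent_image}")
    foreign = [m for m in p.modules if not m.startswith(TRUSTED_MODULE_DIRS)]
    if foreign:
        return ("ask", f"foreign module(s) loaded: {foreign}")
    return ("allow", "rule matched and process looks intact")


# Constructed scenarios: four launches of the same browser binary going to port 80.
NORMAL_MODULES = ("C:\\Windows\\System32\\kernel32.dll", "C:\\Windows\\System32\\wininet.dll")
EXPLORER = "C:\\Windows\\explorer.exe"


def scenarios() -> dict:
    legit = Process(IE_PATH, EXPLORER, IE_GOOD_HASH, NORMAL_MODULES)
    launched_by_test = Process(IE_PATH, "C:\\Users\\u\\Desktop\\leaktest.exe",
                               IE_GOOD_HASH, NORMAL_MODULES)
    injected = Process(IE_PATH, EXPLORER, IE_GOOD_HASH,
                       NORMAL_MODULES + ("C:\\Users\\u\\AppData\\Local\\Temp\\x.dll",))
    patched = Process(IE_PATH, EXPLORER, sha256(b"patched-iexplore-bytes"), NORMAL_MODULES)
    return {name: Connect(p, 80) for name, p in
            [("legit", legit), ("launched_by_test", launched_by_test),
             ("injected", injected), ("patched", patched)]}


def compare() -> dict:
    """Decision of both policies per scenario, e.g. {'legit': ('allow', 'allow'), ...}."""
    return {name: (path_only_decision(ev), hardened_decision(ev)[0])
            for name, ev in scenarios().items()}


if __name__ == "__main__":
    for name, ev in scenarios().items():
        print(f"{name:18s} path-only={path_only_decision(ev):5s} hardened={hardened_decision(ev)}")
```

Only the first scenario is allowed by both policies; the other three are allowed by the path-only rule and turned into a prompt by the hardened one, each with a reason the user can act on. The parent and module checks are heuristics and will also fire on legitimate cases (a mail client opening a link, a third-party toolbar), which is exactly the noise trade-off the thread discusses for HIPS-style products; the hash check is the cheapest of the three and is the one that catches a replaced or patched binary outright.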
     
  8. ASpace

    ASpace Guest

    I mean Windows Explorer (explorer.exe), not Internet Explorer (iexplore.exe)
     
  9. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    Yes, but explorer is "never" granted access in my playbook so why worry about it. What I'm worried about is malware injecting itself into already trusted programs allowed to access the web, and how the firewall has no means to deal with that if the AV does not catch the infection.
     
  10. froggy

    froggy Registered Member

    Joined:
    Oct 9, 2007
    Posts:
    3
    Well I reckon that the ESS firewall is pretty standard.
    For the average user (which it is intended for) it's fine.
    Remember this is ESET's first try at a firewall and I would say they haven't done half bad.

    However if you want a fully featured firewall which does all of what you're talking about take a look at Comodo.

    Version 3 is still in its beta and has HEAPS of little things that make it a very secure little program.

    However version 2 is very good, I would call it the best even.
     